poudriere for Ports Maintenance Matthew Seaman EuroBSDCon 2019 - PowerPoint PPT Presentation

poudriere for Ports Maintenance Matthew Seaman 
 EuroBSDCon 2019 Lillehammer

Who am I? • FreeBSD Admin since the last millennium • Ports committer since 2012 • pkg(8) developer (lapsed) • Former core secretary

Who are you? • Name • Rank What do you do? • Serial Number What do you want to learn?

Ground Rules • Ask questions — hands-up any time • Stop me • if you don’t understand • if you can’t hear me • if you’re having problems with the practical bits

What are we doing today? • Three parts: • Set up — building a poudriere system • Use — build & debug ports with that system • Talk — further uses for poudriere

Set Up 1. Requirements: • git 
 ansible 
 dnspython (Ports: py36-dnspython) 
 ssh 2. Check out git repository: 
 git clone https://github.com/infracaninophile/p4pm

Set Up • Take a slip with the hostname and access key passphrase • Gain access to your VM: 
 ssh -i class N _ed25519 ec2-user@class N .black-earth.co.uk

Set Up • Edit ansible inventory: hosts/poudriere 
 change to your assigned host • Edit group variables: hosts/group_vars/all.yaml 
 create your own user account

Set up • (Optional) Run the keyscan playbook: 
 ansible-playbook playbooks/keyscan.yaml 
 Updates ~/.ssh/known_hosts This does keep a backup of your current known_hosts •

Set Up • VMs are t2.small instances installed using Colin Perceval’s ZFS AMIs 
 https://lists.freebsd.org/pipermail/freebsd-cloud/2019-February/000200.html • Essentially the same result as you’ld get from FreeBSD installation media • Di fg erences: • Added First Boot actions to grow fj lesystem and apply system patches • ec2-user account

Set Up • We need to do some basic con fj guration to make them fully capable ansible clients • Install python and sudo • Create personal user accounts • Set up pam_ssh_agent_auth for sudo

Set Up • Run the basics playbook: 
 ansible-playbook playbooks/basics.yaml \ 
 —user ec2-user —private-key=keys/class N _ed25519 • You should be able to log in as your own user, and sudo to root without being prompted for a password: 
 ssh -A username@classN.black-earth.co.uk 
 sudo -i

Set Up • The main event: run the poudriere playbook: 
 ansible-playbook playbooks/poudriere.yaml • This will take some time…

Set Up • What the playbook does: • Checks out 
 https://github.com/freebsd/freebsd-ports.git • Installs some useful packages • Installs and con fj gures poudriere • Installs and con fj gures nginx • Installs a small script to run test builds

Set Up: Installing ports • The hardest thing we’re doing today in terms of system requirements • t2.micro instance (1GB RAM) is too small • git is an arbitrary choice: any of the ways you could install a ports tree are equally valid

Set Up: Useful Packages • Development tools: 
 tmux 
 emacs-nox 
 ca_root_nss 
 mtr 
 rsync 
 arcanist-php73 
 • Customize this to your own requirements 
 hosts/group_vars/poudriere.yaml

Set Up: poudriere • Based on Vladimir Botka’s 
 https://github.com/vbotka/ansible-freebsd-poudriere • Fairly heavily modi fj ed 
 https://github.com/infracaninophile/ansible-freebsd-poudriere

Set Up: poudriere • install packages 
 poudriere 
 ccache • create self-signed TLS certi fj cate • install poudriere.conf • install make.conf • create ZFSes used by poudriere • con fj gure ccache • register ports tree created earlier • install jails — FreeBSD 11, 12 Release; i386 and amd64

Set Up: nginx • Uses the same self-signed TLS certi fj cate generated by poudriere • Con fj guration based on 
 https://github.com/freebsd/poudriere/blob/master/src/share/ examples/poudriere/nginx.conf.sample • Useable as a pkg repository, but could be improved for that purpose • Mostly interested in the build logs

Set Up: test-build.sh • Builds the listed ports in each of the jails • Builds all fm avours • Enables ‘testing’ ( bulk -t option)


 Use • Let’s build something • Not too big • Not too many dependencies 
 textproc/jq

Use • What does the poudriere web interface tell us? • Dependencies • Compilation success/failure • Diagnose most failures from the log fj le • eg. Easy fj x for plist problems

Use • Builds all of the dependencies and build tools needed • Only rebuilds dependencies when: • They are out of date • Options have changed • Jail updated • They’re another speci fj c build target

Use • Setting options • Globally: poudriere options -c some/port • Per port: 
 poudriere options -p development -c some/port • Per port and package set: 
 poudriere options -p development -z development -c some/port

Use • Options are stored in a directory tree, possibly labelled by package set and ports tree: 
 /usr/local/etc/poudriere.d/… 
 development-development-options/ 
 development-options/ 
 options/ • Only the fj rst matching directory tree is used

Use make.conf settings — hierarchy of fj les, also • labelled by package set and ports tree: 
 /usr/local/etc/poudriere.d/… 
 development-development-make.conf 
 development-make.conf 
 make.conf • The result is the combination of all of these fj les 


Use • Typical development cycle: 
 edit port 
 test build 
 fj x problems 
 test build 
 repeat until clean result 
 (…other tests…) 
 commit

Use • More complicated debugging • Poudriere con fj g speci fj cally keeps WRKDIR from failed builds: 
 SAVE_WRKDIR=yes • Good for: 
 fj xing patches 
 autoconf problems 
 etc…

Use • But wait! There’s more… • Interactive build fj xes 
 poudriere bulk -trk -C -j 12_0a -z development \ 
 -p development -i • Rarely required

Use • What the build log tells you: • Port and build metadata • Dependencies • Options / make.conf settings • Build output • Staging / Packaging • PLIST testing

Use • What the build log doesn’t tell you • Does the ported software run correctly? • But it will once port regression testing becomes standard • Too hit-and-miss to enable currently • Handling more complex CI requirements is hard

Use • All updates to the ports should be run through poudriere • Committers will do this by default • … but noting in a PR that changes pass poudriere testing always helps

Use • What about other architectures? • Assume everyone has access to amd64/i386 • Poudriere can cross build for various ARM and MIPS boards, but this is not a testing requirement • You’ll be noti fj ed by the package builders or by people that speci fj cally test on alternate architectures if problems are found

Use • What about Operating System Versions? • Test on earliest supported version from each major branch • Currently (2019-09-19) 11.1 and 12.0 • ABI compatibility guarantee means software that works on an early version of a branch will continue to work on all later ones • Except for loadable kernel modules • Converse not necessarily true: newer packages may not work on older branches

Use • Your build box needs to be newer than (or at least as new as) the latest branch you want to build packages for • HEAD usually conforms, but it’s a dev branch and there may be the odd bump in the road • Running older poudriere jails on HEAD will work fj ne

Use • Practical considerations • Some ports take ages to build 
 libreoffice • Worse: some are very early in the dependency tree 
 llvm NN 
 gcc N 
 openjdk • Just be patient

Use • If you update your build jails, poudriere will want to rebuild every package • Port build jails are not an exposed security surface • So don’t be too religious about updating • Unless you’re building statically linked software and the vulnerabilities are in system libraries • Keep your build box well updated and secured though

Use • We’ve talked about poudriere as a tool for ports maintenance • Poudriere as a tool for generating your own repo is very similar • Build a whole list of packages • Customize port options / make.conf • Only build the fm avours you need • Tweak nginx.conf to add alias matching the ${ABI} setting pkg(8) generates • Custom repo.conf and repository keys

Use • System resource requirements • Less than you might think • Core2Duo with 8GB RAM and 250GB SSDs can update a repo of around 1000 packages within a hour or so each week • Most modern desktop or laptop machines will be able to run a poudriere repo without problems

Talk • Any questions?

Talk: why “poudriere”? Previous software: “Tinderbox” Poudrière in French but the word also translates to: Gunpowder Magazine